fix(cira): reject CIRA API calls with 403 when CIRA is disabled#1033
Draft
madhavilosetty-intel wants to merge 1 commit into
Conversation
Codecov Report
❌ Patch coverage is
Coverage Diff (main vs. #1033):

| | main | #1033 | +/- |
|---|---|---|---|
| Coverage | 41.66% | 41.69% | +0.03% |
| Files | 135 | 136 | +1 |
| Lines | 12433 | 12442 | +9 |
| Hits | 5180 | 5188 | +8 |
| Misses | 6698 | 6699 | +1 |
| Partials | 555 | 555 | |

View full report in Codecov by Sentry.
Add a middleware on the CIRA route groups that returns 403 with "CIRA is disabled on this instance" when the flag is set. Routes stay registered so the OpenAPI spec remains accurate; the 403 response is declared on the CIRA config and certificate endpoints.
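The guard described above, as an added example that is not the PR's own code: it is written against net/http rather than Gin so it runs with only the standard library, and the Config/App types, the countingHandler stand-in for the CIRA feature, and the health route are assumptions modelled on the test shown in this PR.

```go
package main

import (
	"encoding/json"
	"net/http"
	"net/http/httptest"
)

// Stand-ins for the project's config.Config / config.App (shape assumed from the PR's test).
type App struct{ DisableCIRA bool }
type Config struct{ App App }

// CIRADisabledMessage is the shared body every guarded CIRA endpoint returns while the flag is set.
const CIRADisabledMessage = "CIRA is disabled on this instance"

// ciraDisabledMiddleware answers 403 + JSON error when cfg.App.DisableCIRA is true, else passes
// through. Routes stay registered, so the check runs per request, not at router build time.
func ciraDisabledMiddleware(cfg *Config, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if cfg != nil && cfg.App.DisableCIRA {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusForbidden)
			_ = json.NewEncoder(w).Encode(map[string]string{"error": CIRADisabledMessage})
			return
		}
		next.ServeHTTP(w, r)
	})
}

// countingHandler stands in for the CIRA feature (assumed); calls stays 0 when the guard rejects first.
type countingHandler struct{ calls int }

func (h *countingHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) { h.calls++; w.WriteHeader(http.StatusOK) }

// newCIRARouter guards only the CIRA config group; an unrelated (assumed) health route stays unguarded.
func newCIRARouter(cfg *Config, cira, other http.Handler) http.Handler {
	mux := http.NewServeMux()
	mux.Handle("/api/v1/admin/ciraconfigs", ciraDisabledMiddleware(cfg, cira))
	mux.Handle("/api/v1/admin/ciraconfigs/", ciraDisabledMiddleware(cfg, cira))
	mux.Handle("/api/v1/admin/health", other)
	return mux
}

// probe sends one request and returns the status code and the decoded "error" field, if any.
func probe(router http.Handler, method, url string) (int, string) {
	rec := httptest.NewRecorder()
	router.ServeHTTP(rec, httptest.NewRequest(method, url, http.NoBody))
	var body struct{ Error string `json:"error"` }
	_ = json.NewDecoder(rec.Body).Decode(&body)
	return rec.Code, body.Error
}
```

With DisableCIRA set, probe returns 403 and the shared message for every method on the ciraconfigs paths while the feature handler's call count stays 0; with the flag clear the same requests reach the feature.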
1ffdbfd to e1ed4d8
Pull request overview
This PR enforces APP_DISABLE_CIRA at the HTTP API layer by adding a Gin middleware to reject CIRA-related endpoints with HTTP 403 when CIRA is disabled, while keeping routes registered so the OpenAPI spec remains complete.
Changes:
- Added a `ciraDisabledMiddleware` that returns `403 {"error":"CIRA is disabled on this instance"}` when CIRA is disabled.
- Wired the middleware into the v1 Gin route groups for CIRA config and CIRA root cert endpoints, and updated route constructors to accept `*config.Config`.
- Updated OpenAPI route options for CIRA endpoints to declare the 403 response; added/updated unit tests for the disabled behavior.
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| internal/controller/openapi/route_options.go | Adds CIRA-specific protected route options including documented 403 when disabled. |
| internal/controller/openapi/ciracert.go | Switches CIRACert OpenAPI route to use the CIRA-specific protected options. |
| internal/controller/openapi/cira.go | Switches CIRA config OpenAPI routes to use the CIRA-specific protected options. |
| internal/controller/httpapi/v1/ciradisabled.go | Introduces the Gin middleware and shared disabled message. |
| internal/controller/httpapi/v1/ciraconfigs.go | Applies the middleware to the CIRA configs route group; updates constructor signature to accept config. |
| internal/controller/httpapi/v1/ciraconfigs_test.go | Updates constructor calls and adds a 403-on-disabled test case. |
| internal/controller/httpapi/v1/ciracert.go | Applies the middleware to the CIRACert route group; updates constructor signatures to accept config. |
| internal/controller/httpapi/v1/ciracert_test.go | Updates constructor calls and adds a 403-on-disabled test case. |
| internal/controller/httpapi/router.go | Passes cfg into the updated CIRA route constructors. |
Comment on lines +309 to +333
| // No expectations: the guard must reject before the feature is reached. | ||
| mockCtl := gomock.NewController(t) | ||
| ciraconfig := mocks.NewMockCIRAConfigsFeature(mockCtl) | ||
|
|
||
| NewCIRAConfigRoutes(handler, ciraconfig, log, &config.Config{App: config.App{DisableCIRA: true}}) | ||
|
|
||
| cases := []struct { | ||
| method string | ||
| url string | ||
| }{ | ||
| {http.MethodGet, "/api/v1/admin/ciraconfigs"}, | ||
| {http.MethodGet, "/api/v1/admin/ciraconfigs/example"}, | ||
| {http.MethodPost, "/api/v1/admin/ciraconfigs"}, | ||
| {http.MethodPatch, "/api/v1/admin/ciraconfigs"}, | ||
| {http.MethodDelete, "/api/v1/admin/ciraconfigs/example"}, | ||
| } | ||
|
|
||
| for _, tc := range cases { | ||
| tc := tc | ||
|
|
||
| t.Run(tc.method+" "+tc.url, func(t *testing.T) { | ||
| t.Parallel() | ||
|
|
||
| req, err := http.NewRequestWithContext(context.Background(), tc.method, tc.url, http.NoBody) | ||
| require.NoError(t, err) |
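Review bot: The range shown ends before the subtest assertions, so make sure each case checks the JSON body against the shared message from ciradisabled.go as well as the 403 status; the OpenAPI options now document that body, and a status-only assertion would not catch the middleware and the spec drifting apart. A smaller point on `tc := tc` after `for _, tc := range cases {`: it is only needed if the module targets a Go version before 1.22, since later versions give each iteration its own variable, so drop it if the go.mod minimum allows.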